Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f0815e3a86...35.exe

windows7-x64

10

f0815e3a86...35.exe

windows10-2004-x64

7

$PLUGINSDIR/upspw.dll

windows7-x64

10

$PLUGINSDIR/upspw.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/11/2024, 01:20 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $PLUGINSDIR/upspw.dll

  • Size

    20KB

  • MD5

    0f91acfbdd02bae9c793e8e8a4b70c95

  • SHA1

    78e61c3a75786e9667f299d99509b0d10e1860fc

  • SHA256

    cae5f924fa04faa67dd7033706ee6af0e045c91b2e2d10c03cd45182a9b3da31

  • SHA512

    f9ae967537378efb79b9d43e9b987903137d5f0643bb39379284e68d51028ac8c4cf6652bf8019f6de77834095c127b6281a84a4f98e574d889197fec582b479

  • SSDEEP

    384:PkNXKtjQfcNzoFqacGdJ+flViKEtKGmk33:PkNXKtu3D0flkK+H

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1948592798:AAEPqwEad_OoXqml68rtg1qHOajQ46ljm48/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • AgentTesla payload 4 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\upspw.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\upspw.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\upspw.dll,#1
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2820-0-0x0000000010005000-0x0000000010007000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2836-1-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2836-3-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2836-5-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2836-6-0x0000000073B9E000-0x0000000073B9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-7-0x00000000003A0000-0x00000000003DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2836-8-0x0000000073B90000-0x000000007427E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2836-9-0x0000000073B90000-0x000000007427E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2836-10-0x0000000073B90000-0x000000007427E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2836-11-0x0000000073B9E000-0x0000000073B9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-12-0x0000000073B90000-0x000000007427E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2836-13-0x0000000073B90000-0x000000007427E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2836-14-0x0000000073B90000-0x000000007427E000-memory.dmp

    Filesize

    6.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.